Conversation


@renovate renovate bot commented Dec 2, 2025

This PR contains the following updates:

Package Change Age Confidence
@angular/compiler (source) 19.2.1 → 19.2.18 age confidence

GitHub Vulnerability Alerts

CVE-2025-66412

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts.

Additionally, a related vulnerability exists involving SVG animation elements (<animate>, <set>, <animateMotion>, <animateTransform>). The attributeName attribute on these elements was not properly validated, allowing attackers to dynamically target security-sensitive attributes like href or xlink:href on other elements. By binding attributeName to "href" and providing a javascript: URL in the values or to attribute, an attacker could bypass sanitization and execute arbitrary code.

Attributes confirmed to be vulnerable include:

  • SVG-related attributes (e.g., xlink:href) and various MathML attributes (e.g., math|href, annotation|href).
  • SVG animation attributeName attribute when bound to "href" or "xlink:href".

When template binding is used to assign untrusted, user-controlled data to these attributes (e.g., [attr.xlink:href]="maliciousURL" or <animate [attributeName]="'href'" [values]="maliciousURL">), the compiler incorrectly falls back to a non-sanitizing context or fails to block the dangerous attribute assignment. This allows an attacker to inject a javascript: URL payload. Upon user interaction (like a click) on the element, or automatically in the case of animations, the malicious JavaScript executes in the context of the application's origin.

Impact

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

  • Session Hijacking: Stealing session cookies and authentication tokens.
  • Data Exfiltration: Capturing and transmitting sensitive user data.
  • Unauthorized Actions: Performing actions on behalf of the user.

Patches

  • 19.2.17
  • 20.3.15
  • 21.0.2

Attack Preconditions

  • The victim's Angular application must render data derived from untrusted input (e.g., from a database or API) and bind it to one of the unsanitized URL attributes or the attributeName of an SVG animation element.
  • The victim must perform a user interaction (e.g., clicking) on the compromised element for the stored script to execute, or the animation must trigger the execution.

Workarounds

If you cannot upgrade, you can work around the issue by ensuring that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters).

  • Avoid Affected Template Bindings: Specifically avoid using template bindings (e.g., [attr.xlink:href]="maliciousURL") to assign untrusted data to the vulnerable SVG/MathML attributes.
  • Avoid Dynamic attributeName on SVG Animations: Do not bind untrusted data to the attributeName attribute of SVG animation elements (<animate>, <set>, etc.).
  • Enable Content Security Policy (CSP): Configure a robust CSP header that disallows javascript: URLs.

CVE-2026-22610

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context.

In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.

When template binding is used to assign user-controlled data to these attributes (for example, <script [attr.href]="userInput">), the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URI or a link to an external malicious script.

Impact

When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to:

  • Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens.
  • Data Exfiltration: Accessing and transmitting sensitive information displayed within the application.
  • Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

Attack Preconditions

  1. The victim application must explicitly use SVG <script> elements within its templates.
  2. The application must use property or attribute binding (interpolation) for the href or xlink:href attributes of those SVG scripts.
  3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).

Patches

  • 19.2.18
  • 20.3.16
  • 21.0.7
  • 21.1.0-rc.0

Workarounds

Until the patch is applied, developers should:

  • Avoid Dynamic Bindings: Do not use Angular template binding (e.g., [attr.href]) for SVG <script> elements.
  • Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template.

Resources


Release Notes

angular/angular (@​angular/compiler)

v19.2.18

Compare Source

core
Commit Type Description
26cdc53d9c fix sanitize sensitive attributes on SVG script elements

v19.2.17

Compare Source

compiler
Commit Type Description
7c42e2ebeb fix prevent XSS via SVG animation attributeName and MathML/SVG URLs

v19.2.16

Compare Source

http
Commit Type Description
05fe6686a9 fix prevent XSRF token leakage to protocol-relative URLs

v19.2.15

Compare Source

Breaking Changes

core
  • The server-side bootstrapping process has been changed to eliminate the reliance on a global platform injector.

    Before:

    const bootstrap = () => bootstrapApplication(AppComponent, config);

    After:

    const bootstrap = (context: BootstrapContext) =>
      bootstrapApplication(AppComponent, config, context);

    A schematic is provided to automatically update main.server.ts files to pass the BootstrapContext to the bootstrapApplication call.

    In addition, getPlatform() and destroyPlatform() will now return null and be a no-op respectively when running in a server environment.

core
Commit Type Description
70d0639bc1 fix introduce BootstrapContext for improved server bootstrapping (#​63639)

v19.2.14

Compare Source

compiler
Commit Type Description
24bab55f0c fix lexer support for template literals in object literals (#​61601)
migrations
Commit Type Description
9e1cd49662 fix preserve comments when removing unused imports (#​61674)

v19.2.13

Compare Source

common
Commit Type Description
2c876b4fc5 fix avoid injecting ApplicationRef in FetchBackend (#​61649)
service-worker
Commit Type Description
b15bddfa04 fix do not register service worker if app is destroyed before it is ready to register (#​61101)

v19.2.12

Compare Source

common
Commit Type Description
126efc9972 fix cancel reader when app is destroyed (#​61528)
efda872453 fix prevent reading chunks if app is destroyed (#​61354)
compiler
Commit Type Description
44bb328eae fix avoid conflicts between HMR code and local symbols (#​61550)
compiler-cli
Commit Type Description
107180260f fix Always retain prior results for all files (#​61487)
1191e62d70 fix avoid ECMAScript private field metadata emit (#​61227)
core
Commit Type Description
2b1b14f4d3 fix cleanup rxResource abort listener (#​58306)
8f9b05eaaa fix cleanup testability subscriptions (#​61261)
eb53bda470 fix enable stashing only when withEventReplay() is invoked (#​61352)
94f5a4b4d6 fix Testing should not throw when Zone does not patch test FW APIs (#​61376)
c0c69a5abc fix unregister onDestroy in toSignal. (#​61514)
platform-server
Commit Type Description
8edafd0559 perf speed up resolution of base (#​61392)

v19.2.11

Compare Source

v19.2.10

Compare Source

common
Commit Type Description
89056a0356 fix cleanup updateLatestValue if view is destroyed before promise resolves (#​61064)
core
Commit Type Description
4623b61448 fix missing useExisting providers throwing for optional calls (#​61152)
400dbc5b89 fix properly handle app stabilization with defer blocks (#​61056)
platform-server
Commit Type Description
a6f0d5bc20 fix less aggressive ngServerMode cleanup (#​61106)

v19.2.9

Compare Source

core
Commit Type Description
946b844e0d fix async EventEmitter error should not prevent stability (#​61028)
dbb87026ca fix call DestroyRef on destroy callback if view is destroyed [patch] (#​61061)
2e140a136a fix prevent stash listener conflicts [patch] (#​61063)

v19.2.8

Compare Source

forms
Commit Type Description
ea4a211216 fix make NgForm emit FormSubmittedEvent and FormResetEvent (#​60887)

v19.2.7

Compare Source

common
Commit Type Description
37ab6814f5 fix issue a warning instead of an error when NgOptimizedImage exceeds the preload limit (#​60883)
core
Commit Type Description
b144126612 fix inject migration: replace param with this. (#​60713)
http
Commit Type Description
d39e09da41 fix Include HTTP status code and headers when HTTP requests errored in httpResource (#​60802)

v19.2.6

Compare Source

compiler
Commit Type Description
3441f7b914 fix error if rawText isn't estimated correctly (#​60529) (#​60753)
compiler-cli
Commit Type Description
fc946c5f72 fix ensure HMR works with different output module type (#​60797)
core
Commit Type Description
00bbd9b382 fix fix docs for output migration (#​60764)
f2bfa3151e fix fix ng generate @​angular/core:output-migration. Fixes angular#​58650 (#​60763)
9241615ad0 fix reduce total memory usage of various migration schematics (#​60776)
language-service
Commit Type Description
0e82d42774 fix Do not provide element completions in end tag (#​60616)
fcdef1019f fix Ensure dollar signs are escaped in completions (#​60597)

v19.2.5

Compare Source

Commit Type Description
e61d06afb5 fix step 6 tutorial docs (#​60630)
animations
Commit Type Description
fa48f98d9f fix add missing peer dependency on @angular/common (#​60660)
compiler
Commit Type Description
ca5aa4d55b fix throw for invalid "as" expression in if block (#​60580)
compiler-cli
Commit Type Description
f4c4b10ea8 fix Produce fatal diagnostic on duplicate decorated properties (#​60376)
22a0e54ac4 fix support relative imports to symbols outside rootDir (#​60555)
core
Commit Type Description
64da69f7b6 fix check ngDevMode for undefined (#​60565)
8f68d1bec3 fix fix ng generate @​angular/core:output-migration (#​60626)
bc79985c65 fix fix regexp for event types (#​60592)
006ac7f22f fix fixes #​592882 ng generate @​angular/core:signal-queries-migration (#​60688)
da6e93f434 fix preserve comments in internal inject migration (#​60588)
dbbddd1617 fix prevent omission of deferred pipes in full compilation (#​60571)
language-service
Commit Type Description
0e9e0348dd fix Update adapter to log instead of throw errors (#​60651)
migrations
Commit Type Description
15f53f035b fix handle shorthand assignments in super call (#​60602)
4b161e6234 fix inject migration not handling super parameter referenced via this (#​60602)
router
Commit Type Description
958e98e4f7 fix Add missing types to transition (#​60307)
service-worker
Commit Type Description
7cd89ad2c6 fix assign initializing client's app version, when a request is for worker script (#​58131)

v19.2.4

Compare Source

core
Commit Type Description
081f5f5a83f fix fix used templates are not deleted (#​60459)
localize
Commit Type Description
a2f622d82d6 fix handle @​angular/build:karma in ng add (#​60513)
platform-browser
Commit Type Description
8e8ccc79279 fix ensure platformBrowserTesting includes platformBrowser providers (#​60480)

v19.2.3

Compare Source

compiler-cli
Commit Type Description
aa8ea7a5b2 fix report more accurate diagnostic for invalid import (#​60455)
core
Commit Type Description
13a8709b2b fix catch hydration marker with implicit body tag (#​60429)
296aded9da fix execute timer trigger outside zone (#​60392)
0615ffb4f7 fix include input name in error message (#​60404)
platform-browser-dynamic
Commit Type Description
1e06c8e8b6 fix ensure compiler is loaded before @angular/common (#​60458)
upgrade
Commit Type Description
9e1a1030c8 fix handle output emitters when downgrading a component (#​60369)

v19.2.2

Compare Source

common
Commit Type Description
90a16a1088 fix support equality function in httpResource (#​60026)
compiler
Commit Type Description
56b551d273 fix incorrect spans for template literals (#​60323) (#​60331)
compiler-cli
Commit Type Description
23ca88522b fix handle transformed classes when generating HMR code (#​60298)
core
Commit Type Description
6dc41265fd fix check whether application is destroyed before initializing event replay (#​59789)
bb12b30d52 fix ensures immediate trigger fires properly with lazy loaded routes (#​60203)
b144dd946e fix fix removal of a container reference used in the component file (#​60210)
platform-server
Commit Type Description
15c42969fc fix add missing peer dependency for rxjs (#​60308)
router
Commit Type Description
7bcdf7c143 fix update symbols (#​60233)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
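The binding shapes the two advisories above describe, together with the "strict allowlist of trusted URLs" workaround from the CVE-2026-22610 section, as an added JavaScript example; this is not code from the Renovate PR, from Angular, or from the repository being updated. It assumes Angular templates are available as source strings and that the set of trusted origins is known in advance. The functions findRiskyBindings and isAllowedUrl, the sample template and the TRUSTED_ORIGINS list are all constructed for this illustration, and the regular expressions are a heuristic rather than Angular's template parser.

```javascript
// Added example: not part of the Renovate PR or of Angular's own code.
// Defensive helpers for the two advisories quoted in the PR description:
//   findRiskyBindings() audits raw Angular template source for the binding
//   shapes named there, so a team can locate them before and after upgrading;
//   isAllowedUrl() implements the "strict allowlist of trusted URLs"
//   workaround for values that must still be bound dynamically.
// The regular expressions are a heuristic, not Angular's template parser:
// a `>` inside an attribute value or a binding written in interpolation
// form (attr.href="{{ x }}") will not be matched. Treat hits as leads.

const ANIMATION_ELEMENTS = new Set(['animate', 'set', 'animateMotion', 'animateTransform']);
const MATHML_URL_ELEMENTS = new Set(['math', 'annotation']); // the two the advisory names

// Opening tag: captures the element name and its raw attribute text.
const TAG_RE = /<([a-zA-Z][\w:-]*)\b([^>]*)>/g;
// Property or attribute binding such as [attr.xlink:href]="expr" or [attributeName]="expr".
const BINDING_RE = /\[((?:attr\.)?[\w:.-]+)\]\s*=\s*"([^"]*)"/g;

// Maps an (element, binding target) pair to the advisory it matches, or null.
function classify(element, bindingTarget) {
  const bare = bindingTarget.replace(/^attr\./, '');
  if (ANIMATION_ELEMENTS.has(element) && bare === 'attributeName') {
    return 'CVE-2025-66412: dynamic attributeName on an SVG animation element';
  }
  if (element === 'script' && (bare === 'href' || bare === 'xlink:href')) {
    return 'CVE-2026-22610: href/xlink:href bound on an SVG <script> element';
  }
  if (bare === 'xlink:href' || (MATHML_URL_ELEMENTS.has(element) && bare === 'href')) {
    return 'CVE-2025-66412: URL-holding SVG/MathML attribute outside the strict URL context';
  }
  return null;
}

// Returns one finding per risky binding: { line, element, binding, expression, reason }.
function findRiskyBindings(templateSource) {
  const findings = [];
  for (const tag of templateSource.matchAll(TAG_RE)) {
    const [, element, attrText] = tag;
    const line = templateSource.slice(0, tag.index).split('\n').length;
    for (const b of attrText.matchAll(BINDING_RE)) {
      const reason = classify(element, b[1]);
      if (reason) findings.push({ line, element, binding: b[1], expression: b[2], reason });
    }
  }
  return findings;
}

// Allowlist check for a value that is about to be bound to one of these attributes.
// Only absolute https URLs whose origin is in allowedOrigins pass; javascript:,
// data:, protocol-relative (//host/...) and relative values are all rejected
// because they either carry executable content or resolve against the page origin.
function isAllowedUrl(value, allowedOrigins) {
  let url;
  try {
    url = new URL(String(value)); // no base URL: relative and protocol-relative inputs throw
  } catch {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  return allowedOrigins.includes(url.origin); // origin comparison also defeats user@host tricks
}

// Constructed sample template exercising each binding shape from the advisories.
const SAMPLE_TEMPLATE = `
<svg>
  <use [attr.xlink:href]="iconRef"></use>
  <animate [attributeName]="'href'" [values]="animValues"></animate>
  <script [attr.href]="scriptUrl"></script>
  <a [attr.href]="profileLink">profile</a>
</svg>`;

const TRUSTED_ORIGINS = ['https://cdn.example.com']; // constructed allowlist

for (const f of findRiskyBindings(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <${f.element} [${f.binding}]="${f.expression}"> -> ${f.reason}`);
}
for (const v of ['https://cdn.example.com/lib.js', 'javascript:alert(1)', 'data:text/javascript,1']) {
  console.log(`${v} allowed: ${isAllowedUrl(v, TRUSTED_ORIGINS)}`);
}
```

Run against a project's .html template files, the audit reports three of the four bindings in the sample (the plain anchor is left alone because Angular already sanitizes href on ordinary elements). The allowlist check deliberately compares the parsed origin rather than doing a string prefix match, which is why a value like https://cdn.example.com@evil.example/lib.js is rejected.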


changeset-bot bot commented Dec 2, 2025

⚠️ No Changeset found

Latest commit: b7648d2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@ellipsis-dev ellipsis-dev bot left a comment

Skipped PR review on 84b4857 because no changed files had a supported extension. If you think this was in error, please contact us and we'll fix it right away.


coderabbitai bot commented Dec 2, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.


codesandbox-ci bot commented Dec 2, 2025

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.


socket-security bot commented Dec 2, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updated@​angular/​compiler@​19.2.1 ⏵ 19.2.18100 +1100 +1679 +198100

View full report

@renovate renovate bot force-pushed the renovate/npm-angular-compiler-vulnerability branch from 84b4857 to b7648d2 on January 8, 2026 16:48
@renovate renovate bot changed the title from "chore(deps): update dependency @angular/compiler to v19.2.17 [security]" to "chore(deps): update dependency @angular/compiler to v19.2.18 [security]" on Jan 9, 2026